SEC0049 - ISE 1.1 User and Machine Authentication with EAP Chaining (Part 2)
Category: Security
The video demonstrates how Cisco ISE EAP Chaining can solve caveats of user and machine authentication that are inherent to the Windows native supplicant. In part 1 of this video, we step through the authentication and authorization policy configuration necessary to support EAP Chaining for both wired and wireless. In part 2, we go through configuration in the NAM Profile Editor to create a .xml file that the NAM module uses to gain network access. The video ends with wired and wireless testing and a look at how EAP Chaining appears in the authentication log on Cisco ISE.
Topic:
- AnyConnect Secure Mobility 3.x (NAM Module)
- NAM Profile Editor
- User and Machine Authentication with MSCHAPv2 inside EAP-FAST
- Policy Element Condition
  - Authorization (Compound Condition)
- Policy Element Result
  - Authentication (Allowed Protocol)
  - Authorization (Downloadable ACL)
  - Authorization (Authorization Profile)
- Authentication Policy
- Authorization Policy
Note:
- With automatic PAC provisioning, EAP-TLS is used to build a secure tunnel in which the PAC is transported
- The PAC is then used by both endpoints to construct the EAP-FAST outer tunnel
- The actual authentication occurs in the inner authentication method, which can be any supported protocol
- EAP chaining allows multiple rounds of authentication (here user and machine) to be carried out back-to-back within the same EAP session
Pros
- Users can switch seamlessly between wired and wireless, as user and machine authentication take place together at each connection attempt.
- No longer relies on machine authentication at Windows login, so users are spared the occasional need to log off and back on.
- No longer uses the machine authentication cache on ISE, so the cache-expiry problem goes away.
Cons
- Additional software needs to be installed on user computers
14 comments
Network Access Manager Profile Editor
Thanks for the videos, excellent resources I must confess. You had mentioned that "Network Access Manager Profile Editor" can be deployed via package. Can you please explain how? It will be interesting to know how to automate deployment of AnyConnect Secure Mobility Client and Network Access Manager Profile Editor for mass deployment. Was wondering if this can be done via AD group policy?
Looking forward to more of your security videos. Do you have any plans to make a video on Client SSL VPN?
Thanks
Network Access Manager Profile Editor
You don't really need to deploy the NAM Profile Editor to your users. You only use it to create a .xml config file. Then you have two options.
1. Manual - Put the .xml file under the Profiles/nam folder that you find under the directory extracted from the .iso pre-deploy package. You can then package it back together and send it to your users with instructions to install AnyConnect and NAM. NAM will come up with all the profiles.
2. Automatic - Use your Software Management System (SMS) to deploy NAM from the .msi file per the Cisco doc below and then place the .xml file in the appropriate folder. The specific procedures depend on the SMS product you use.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnec...
Client SSL VPN is on our list but might take another while before we get to that.
Hope this helps and thank you for your support
EAP-FAST
Hi
I did this lab yesterday identically to you. I have a Windows 8 machine and had the AnyConnect 3.0 supplicant installed. When I connected the cable to the switch, AnyConnect prompted me for a username and password. If I enter my domain credentials, authentication fails because:
2248 Machine authentication against active directory has failed because of wrong password
After repeating the process a couple of times I had the same result. This morning, I repeated it again, this time removing AnyConnect 3.0 and installing 3.1. After I did this the authentication succeeded. I spent a bit of time connecting/disconnecting wired and wireless (both using EAP-FAST) and it was all working pretty smoothly. AnyConnect never asked me for a username and password, as in your lab, which is what I would expect.
This afternoon, after not touching anything, I went back to the laptop, which had gone to sleep. After starting it again, I had the issue I had seen initially, in that AnyConnect was asking me for a username and password again and authentication was failing for the LAN connection. The authentication via the WLAN would now appear to only attempt PEAP, and I would not see an EAP-FAST attempt in ISE at all.
Is this an AnyConnect issue? An ISE issue? A Windows 8 issue or an AD issue? (Presume not AD, as I can connect the laptop to a PSK WLAN and can get onto the domain.) Any pointers would be very helpful. I suppose I can eliminate the switch and WLC as both worked, and now both fail. Here is the failure output from ISE for wired:
Logged At: June 4,2013 3:56:18.354 PM
Occurred At: June 4,2013 3:56:18.354 PM
Server: ISE01-LON3
Authentication Method: dot1x
EAP Authentication Method: EAP-MSCHAPv2
EAP Tunnel Method: EAP-FAST
Username: lanuser,host/LON-IS5061
RADIUS Username: anonymous
Calling Station ID: 00:1E:68:8B:F4:2C
Framed IP Address:
Use Case: Eap Chaining
Network Device: IS-ACCESS36-01-MAN1
Network Device Groups: Device Type#All Device Types#Wired Access Switches,Location#All Locations#Man1
NAS IP Address: 10.192.1.4
NAS Identifier:
NAS Port: 50006
NAS Port ID: GigabitEthernet0/6
NAS Port Type: Ethernet
Allowed Protocol: EAP-FAST
Service Type: Framed
Identity Store: AD1,AD1
Authorization Profiles: DenyAccess
Active Directory Domain: tcx.prv
Identity Group: Profiled:Microsoft-Workstation
Allowed Protocol Selection Matched Rule: LAN-USER-MACHINE
Identity Policy Matched Rule: Default
Selected Identity Stores: AD1,Internal Users,AD1,Internal Users
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID: ISE01-LON3/159726141/461
Audit Session ID: 0AC00104000003D84D7FA07B
Tunnel Details:
Cisco-AVPairs:
service-type=Framed
audit-session-id=0AC00104000003D84D7FA07B
Other Attributes: ConfigVersionId=10,Device Port=1645,DestinationPort=1645,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1546,State=37CPMSessionID=0AC00104000003D84D7FA07B;34SessionID=ISE01-LON3/159726141/461;,EAP-Key-Name=,DetailedInfo=Invalid username or password specified, Retry is allowed,NACRadiusUserName=deanh,CPMSessionID=0AC00104000003D84D7FA07B,EndPointMACAddress=00-1E-68-8B-F4-2C,EndPointMatchedProfile=Microsoft-Workstation,EapChainingResult=User succeeded and machine failed,HostIdentityGroup=Endpoint Identity Groups:Profiled:Microsoft-Workstation,Device Type=Device Type#All Device Types#Wired Access Switches,Location=Location#All Locations#Man1,Model Name=3560,Software Version=15.0,Device IP Address=10.192.1.4,Called-Station-ID=00:14:A9:B2:47:86
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12207 Client certificate was requested but not received during tunnel establishment. Will renegotiate and request client certificate inside the tunnel.
12226 Started renegotiated TLS handshake
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12226 Started renegotiated TLS handshake
12205 Client certificate was requested but not received inside the tunnel. Will continue with inner method.
12149 EAP-FAST built authenticated tunnel for purpose of PAC provisioning
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12209 Starting EAP chaining
12218 Selected identity type 'User'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12200 Approved EAP-FAST client Tunnel PAC request
12219 Selected identity type 'Machine'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24431 Authenticating machine against Active Directory
24485 Machine authentication against Active Directory has failed because of wrong password
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
12117 EAP-FAST inner method finished with failure
22028 Authentication failed and the advanced options are ignored
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12855 PAC was not sent due to authorization failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
Thanks
Apparently, this is due to a security limitation in Windows 8. I applied the Microsoft fix, and it started working.
For Network Access Manager, machine authentication using machine password will not work on Windows 8 / Server 2012 unless a registry fix described in Microsoft KB 2743127 (http://support.microsoft.com/kb/2743127) is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnec...
It was strange you mentioned that you were able to get it to work somewhat before it stopped working. You would think from what you described that it shouldn't have worked at all. But it is good to know it is a documented caveat. Thank you for sharing.
Yes, it is very strange. I tried for a day to get it to work, with no luck. The next morning it worked, but then stopped with me making no changes to ISE or Win8. I raised the issue with a Cisco engineer through my sales channel, who pointed me in the direction of the Win8 fix. After applying the registry fix, it has worked ever since, again with me not changing anything on ISE or Win8. I have no idea why it worked for that short period either without that fix in place.
User fails but machine passes
When using NAM I initially get both to pass, but something on the backend changes that and NAM is prompting me for creds even though single sign-on is enabled. Any thoughts?
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - EXAMPLE-EAP-TLS
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12175 Received Tunnel PAC
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12804 Extracted TLS Finished message
12816 TLS handshake succeeded
12132 EAP-FAST built PAC-based tunnel for purpose of authentication
12209 Starting EAP chaining
12210 Received User Authorization PAC
12211 Received Machine Authorization PAC
12218 Selected identity type 'User'
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - EXAMPLE_IDS
15013 Selected Identity Source - EXAMPLE
24432 Looking up user in Active Directory - EXAMPLE
24326 Searching subject object by UPN - USER1@internal.EXAMPLE.net
24328 Subject object not found in a cache
24330 Lookup SID By Name request succeeded
24332 Lookup Object By SID request succeeded
24336 Subject object cached
24351 Account validation succeeded
24420 User's Attributes retrieval from Active Directory succeeded - EXAMPLE
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12219 Selected identity type 'Machine'
15041 Evaluating Identity Policy
15004 Matched rule - Default
15006 Matched Default Rule
22072 Selected identity source sequence - EXAMPLE_IDS
15013 Selected Identity Source - EXAMPLE
24433 Looking up machine in Active Directory - EXAMPLE
24326 Searching subject object by UPN - C0001-USER1$@internal.EXAMPLE.net
24327 Subject object found in a cache
24329 Subject cache entry expired
24330 Lookup SID By Name request succeeded
24332 Lookup Object By SID request succeeded
24336 Subject object cached
24351 Account validation succeeded
24439 Machine Attributes retrieval from Active Directory succeeded - EXAMPLE
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12964 Sent EAP Result TLV indicating success
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12106 EAP-FAST authentication phase finished successfully
11503 Prepared EAP-Success
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.EapTunnel
24432 Looking up user in Active Directory - EXAMPLE
24325 Resolving identity - USER1
24313 Search for matching accounts at join point - internal.EXAMPLE.net
24319 Single matching account found in forest - EXAMPLE.net
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded - internal.EXAMPLE.net
24416 User's Groups retrieval from Active Directory succeeded - EXAMPLE
24433 Looking up machine in Active Directory - EXAMPLE
24325 Resolving identity - host/C0001-USER1
24313 Search for matching accounts at join point - internal.EXAMPLE.net
24319 Single matching account found in forest - EXAMPLE.net
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded - internal.EXAMPLE.net
24435 Machine Groups retrieval from Active Directory succeeded - EXAMPLE
15048 Queried PIP - EXAMPLE.ExternalGroups
15004 Matched rule - WIRED_MACH_EAP-TLS
15016 Selected Authorization Profile - D_INTERNET_ONLY
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept
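To read the chaining verdict straight off a Steps log like the two quoted in this thread (the wrong-machine-password report earlier and the PAC-based report just above), here is an added Python example that is not part of the lab or of Cisco ISE. It walks the Steps section and reports, per identity type, whether the round passed through the inner method, was skipped because ISE accepted an authorization PAC, or failed and on which step; the step codes are the ones quoted on this page, and the sample step lists are constructed, abridged from the two reports.

```python
"""Summarise EAP chaining rounds from the 'Steps' section of a Cisco ISE
authentication detail report. Added example for this page, not code from the
lab or from Cisco ISE; step codes are the ones quoted in the comments above."""
from __future__ import annotations
import re
from dataclasses import dataclass

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")
SELECT_IDENTITY = {"12218": "User", "12219": "Machine"}
INNER_END = {"12128": "inner method passed",
             "12124": "inner method skipped (authorization PAC accepted)",
             "12117": "inner method failed"}
AUTH_PASSED = "22037"

@dataclass
class IdentityOutcome:
    identity: str                    # 'User' or 'Machine'
    passed: bool | None = None       # None: round ended without a verdict
    how: str = ""                    # INNER_END message that closed the round
    reason: str = ""                 # first 'failed' step inside the round

def parse_steps(text: str) -> list[IdentityOutcome]:
    """Return one outcome per chained identity round, in log order."""
    rounds: list[IdentityOutcome] = []
    current: IdentityOutcome | None = None
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue                 # e.g. 'Evaluating Identity Policy'
        code, msg = m.groups()
        if code in SELECT_IDENTITY:  # 12218/12219 open a new round
            current = IdentityOutcome(SELECT_IDENTITY[code])
            rounds.append(current)
        elif current is None or current.how:
            continue                 # outside a round, or round already closed
        elif code == AUTH_PASSED:
            current.passed = True
        elif "failed" in msg.lower() and not current.reason:
            current.passed = False   # e.g. 24485 wrong machine password
            current.reason = f"{code} {msg}"
        elif code in INNER_END:
            current.how = INNER_END[code]
            if current.passed is None:
                current.passed = code != "12117"
    return rounds

def chaining_result(rounds: list[IdentityOutcome]) -> str:
    """Render the verdict the way ISE reports it in EapChainingResult."""
    v = {r.identity: "succeeded" if r.passed else "failed" for r in rounds}
    if "User" in v and "Machine" in v:
        return f"User {v['User']} and machine {v['Machine']}"
    return ", ".join(f"{k} {s}" for k, s in v.items()) or "no EAP chaining round found"

# Constructed samples, abridged from the two reports quoted in the comments.
WRONG_PASSWORD_STEPS = """\
12209 Starting EAP chaining
12218 Selected identity type 'User'
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
12128 EAP-FAST inner method finished successfully
12219 Selected identity type 'Machine'
24485 Machine authentication against Active Directory has failed because of wrong password
12117 EAP-FAST inner method finished with failure
"""
PAC_STEPS = """\
12210 Received User Authorization PAC
12211 Received Machine Authorization PAC
12218 Selected identity type 'User'
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12219 Selected identity type 'Machine'
22037 Authentication Passed
12124 EAP-FAST inner method skipped
"""
```

Run `chaining_result(parse_steps(text))` on the Steps section pasted from a report; the `reason` field of a failed round points at the step (here 24485) that explains the DenyAccess result.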
User fails but machine passes
From the log provided, both user and machine seemed to pass. Is it not yielding the auth profile you want?
User Fails
It gets an internet-only result when it should get full access. This is similar to the video; however, NAM is prompting for a username and password even though single sign-on is used. I'm not sure why that's happening.
12124 EAP-FAST inner method skipped
Is this a concern?
User Fails
Does the log show both user and machine succeeded? What are the conditions for full access and internet-only access? Was this something that used to work and recently broke? You should not be prompted for credentials unless they are wrong. Can you try to rebuild the wired profile? The inner method skipped log message does not sound right, but it clearly went through both user and computer authentication, so it might not be relevant.
Resolved
I figured out why. So ISE was acknowledging everything and from the ISE perspective all was good. The switch however showed a failed authz. This was because it had trouble implementing the dACL, which happened to have a URL redirect and a reauth of 1800 seconds and a subfeature of radius-request during reauth. I removed the url-redirect and it connected just fine.
EDIT
Some additional information
On switch: debug radius authentication, debug epm all
EPM output: EPM_SESS_ERR:No match for feature DOT1X
DOT1X had trouble applying the redirect and so it
*Mar 2 22:14:59 UTC: EPM_API:In function epm_parse_aaa_access_policies
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:URL-Redirect= https://www.EXAMPLE.com
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:CiscoDefined-ACL name= #ACSACL#-IP-DACL_USERMACH_FULLACCESS-564b6aef
*Mar 2 22:14:59 UTC: EPM_API:In function epm_remove_access_policies
*Mar 2 22:14:59 UTC: EPM_API:In function epm_process_policy_attributes
*Mar 2 22:14:59 UTC: EPM_SESS_ERR:No match for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_SESS_ERR:No match for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_API:In function epm_url_redirect_feature_free
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Returning feature config for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Returning feature config for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_API:In function epm_acl_feature_free
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Dequeue acl feature from list
*Mar 2 22:14:59 UTC: EPM_API:In function epm_notify_registered_clients
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Notified NACL removal to Registered Clients
That makes sense, and explains why we didn't see anything failed in the ISE log. Thank you for sharing the resolution.
Machine authentication failure
Hi
I installed AnyConnect, made the configuration file using the editor, and configured ISE version 2.2 with an authentication and authorization policy for dot1x.
I made two authz rules, one for domain machine and the other for domain user.
Authentication is open under the SW port.
I always get the machine authentication failed, and then because of the fail-open I pass this step and get the user successfully authc'd and authz'd, and the ISE logs for the machine say that machine authentication failed against Active Directory for wrong password.
Any advice?
BR
Machine authentication failure
Are you using PEAP or EAP-TLS or EAP-FAST? What OS? Windows 7,8 or 10?